The branch, v3-6-stable has been updated
via 6e1ba4c CVE-2014-0178 patch for 3.6
from 260ab8a VERSION: Bump version up to 3.6.25.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable
- Log -----------------------------------------------------------------
commit 6e1ba4cf362165a2c8120874bd6951615aef4599
Author: Jiří Šašek <[email protected]>
Date: Mon Sep 15 19:23:55 2014 +0200
CVE-2014-0178 patch for 3.6
Samba 3.6.23 patch for:
FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to, zero
...derived from Christof Schmitt <[email protected]>'s patch for
Samba 4.0
http://www.samba.org/samba/ftp/patches/security/samba-4.0.17-CVE-2014-0178-CVE-2014-0239.patch
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10549
CVE-2014-0178: Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response
-----------------------------------------------------------------------
Summary of changes:
source3/smbd/nttrans.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
index 4c145e0..b9a6620 100644
--- a/source3/smbd/nttrans.c
+++ b/source3/smbd/nttrans.c
@@ -2303,7 +2303,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
if (!labels) {
*out_len = 16;
} else {
- *out_len = 12 + labels_data_count + 4;
+ *out_len = 12 + labels_data_count;
}
if (max_out_len < *out_len) {
@@ -2313,7 +2313,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
return NT_STATUS_BUFFER_TOO_SMALL;
}
- cur_pdata = talloc_array(ctx, char, *out_len);
+ cur_pdata = talloc_zero_array(ctx, char, *out_len);
if (cur_pdata == NULL) {
TALLOC_FREE(shadow_data);
return NT_STATUS_NO_MEMORY;
@@ -2330,7 +2330,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
}
/* needed_data_count 4 bytes */
- SIVAL(cur_pdata, 8, labels_data_count + 4);
+ SIVAL(cur_pdata, 8, labels_data_count);
cur_pdata += 12;
--
Samba Shared Repository
